I would really like to start adding layers to my applications using Dynamic Layers and the QueryDataSource class. This would allow me to display some relatively complex relationships on the fly with minimal input from users and without having to pre-symbolize and anticipate all possible combinations in a map service beforehand.
My only concern is that exposing SQL queries through a client-side application might open us up to SQL injection. Is anyone out there working with the QueryDataSource class? Are there any built-in safeguards against SQL injection?
I think this is hitting a REST Endpoint so the security is handled by ArcServer.
It looks like the parameter "useStandardizedQueries" that was added at 10.2 http://resources.arcgis.com/en/help/arcgis-rest-api/index.html#//02r3000000p1000000 likely addresses my concern.